Abstract. In this paper, we prove classical coin-flipping secure in the presence of quantum adversaries. The proof uses a recent result of Watrous [Wat09] that allows quantum rewinding for protocols of a certain form. We then discuss two applications. First, the combination of coin-flipping with any non-interactive zero-knowledge protocol leads to an easy transformation from non-interactive zero-knowledge to interactive quantum zero-knowledge. Second, we discuss how our protocol can be applied to a recently proposed method for improving the security of quantum protocols [DFL+09], resulting in an implementation without set-up assumptions. Finally, we sketch how to achieve efficient simulation for an extended construction in the common-reference-string model.
1 Introduction

In this paper, we are interested in a standard coin-flipping protocol with classical message exchange but where the adversary is assumed to be capable of quantum computing. Secure coin-flipping allows two parties Alice and Bob to agree on a uniformly random bit in a fair way, i.e., neither party can influence the value of the coin to his advantage. The (well-known) protocol proceeds as follows: Alice commits to a bit $a$, Bob then sends bit $b$, Alice opens the commitment and the resulting coin is the exclusive disjunction of both bits, i.e. $coin = a \oplus b$.

For Alice's commitment to her first message, we assume a classical bit commitment scheme. Intuitively, a commitment scheme allows a player to commit to a value, while keeping it hidden (hiding property) but preserving the possibility to later reveal the value fixed at commitment time (binding property). More formally, a bit commitment scheme takes a bit and some randomness as input. The hiding property is formalized by the non-existence of a distinguisher able to distinguish with non-negligible advantage between a commitment to 0 and a commitment to 1. The binding property is fulfilled, if it is infeasible for a forger to open one commitment to both values 0 and 1. The hiding respectively binding property holds with unconditional (i.e. perfect or statistical) security in the classical and the quantum setting, if the distinguisher respectively the forger is unrestricted with respect to his (quantum-) computational power. In case of a polynomial-time bounded classical distinguisher respectively forger, the commitment is computationally hiding respectively binding. The computationally hiding property translates to the quantum world by simply allowing the distinguisher to be quantum. However, the case of a quantum forger cannot be handled in such a straightforward manner, due to the difficulties of rewinding in general quantum systems (see e.g. [Gra97,DFS04,Wat09] for discussions).

For our basic coin-flip protocol, we assume the commitment to be unconditionally binding and computationally hiding against a quantum adversary.¹ Thus, we achieve unconditional security against cheating Alice and quantum-computational security against dishonest Bob. Such a commitment scheme follows, for instance, from any pseudorandom generator [Nao91] secure against a quantum distinguisher. Even though the underlying computational assumption, on which the security of the embedded commitment is based, withstands quantum attacks, the security proof of the entire protocol and its integration into other applications could previously not be naturally translated from the classical to the quantum world. Typically, security against a classical adversary is argued using rewinding of the adversary. But in general, rewinding as a proof technique cannot be directly applied if Bob runs a quantum computer: First, the intermediate state of a quantum system cannot be copied [WZ82], and second, quantum measurements are in general irreversible. Hence, in order to produce a classical output, the simulator would have to (partially) measure the quantum system without copying it beforehand, but then it would become generally impossible to reconstruct all information necessary for correct rewinding. For these reasons, no simple and straightforward security proofs for the quantum case were previously known.

¹ Recall that unconditionally secure commitments, i.e. unconditionally hiding and binding at the same time, are impossible in both the classical and the quantum world.

In this paper, we show the most natural and direct quantum analogue of the classical security proof for standard coin-flipping, by using a recent result of Watrous [Wat09]. Watrous showed how to construct an efficient quantum simulator for quantum verifiers for several zero-knowledge proof systems such as graph isomorphism, where the simulation relies on the newly introduced quantum rewinding theorem. We now show that his quantum rewinding argument can also be applied to classical coin-flipping in a quantum world.

By calling the coin-flip functionality sequentially a sufficient number of times, the communicating parties can interactively generate a common random string from scratch. The generation can then be integrated into other (classical or quantum) cryptographic protocols that work in the common-reference-string model. This way, several interesting applications can be implemented entirely in a simple manner without any set-up assumptions. Two example applications are discussed in the second part of the paper.

The first application relates to zero-knowledge proof systems, an important building block for larger cryptographic protocols. Recently, Hallgren et al. [HKSZ08] showed that any honest verifier zero-knowledge protocol can be made zero-knowledge against any classical and quantum verifier. Here we show a related result, namely, a simple transformation from non-interactive (quantum) zero-knowledge to interactive quantum zero-knowledge. A non-interactive zero-knowledge proof system can be trivially turned into an interactive honest verifier zero-knowledge proof system by just letting the verifier choose the reference string. Therefore, this consequence of our result also follows from [HKSZ08]. However, our proof is much simpler. In general, the difference between our work and [HKSZ08] is that our focus is on establishing coin-flipping as a stand-alone tool that can be used in several contexts rather than being integrated in a zero-knowledge construction as in [HKSZ08].

As a second application we discuss the interactive generation of a common reference string for the general compiler construction improving the security of a large class of quantum protocols that was recently proposed in [DFL+09]. Applying the compiler, it has been shown how to achieve hybrid security in existing protocols for password-based identification [DFSS07] and oblivious transfer [BBCS91] without significant efficiency loss, such that an adversary must have both large quantum memory and large computing power to break the protocol. Here we show how a common reference string for the compiler can be generated from scratch according to the specific protocol requirements in [DFL+09].

Finally, we sketch an extended commitment scheme for quantum-secure coin-flipping in the common-reference-string model. This construction can be efficiently simulated without the need for rewinding, which is necessary to claim universal composability.

2 Preliminaries
2.1 Notation 

We assume the reader's familiarity with basic notation and concepts of quantum information processing as in standard literature, e.g. [NC00]. Furthermore, we will only give the details of the discussed applications that are most important in the context of this work. A full description of the applications can be found in the referenced papers.

We denote by $negl(n)$ any function of $n$, if for any polynomial $p$ it holds that $negl(n) < 1/p(n)$ for large enough $n$. As a measure of closeness of two quantum states $\rho$ and $\sigma$, their trace distance $\delta(\rho,\sigma) = \frac{1}{2}\,\mathrm{tr}(|\rho - \sigma|)$ or their square-fidelity can be applied. A quantum algorithm consists of a family $\{C_n\}_{n \in \mathbb{N}}$ of quantum circuits and is said to run in polynomial time, if the number of gates of $C_n$ is polynomial in $n$. Two families of quantum states $\{\rho_n\}_{n \in \mathbb{N}}$ and $\{\sigma_n\}_{n \in \mathbb{N}}$ are called quantum-computationally indistinguishable, denoted $\rho \stackrel{q}{\approx} \sigma$, if any polynomial-time quantum algorithm has negligible advantage in $n$ of distinguishing $\rho_n$ from $\sigma_n$. Analogously, they are statistically indistinguishable, denoted $\rho \stackrel{s}{\approx} \sigma$, if their trace distance is negligible in $n$. For the reverse circuit of a quantum circuit $Q$, we use the standard notation for the transposed, complex conjugate operation, i.e. $Q^\dagger$. The controlled-NOT operation (CNOT) with a control and a target qubit as input flips the target qubit, if the control qubit is 1. In other words, the value of the second qubit corresponds to the classical exclusive disjunction (XOR). A phase-flip operation can be described by the Pauli operator $Z$. For a quantum state $\rho$ stored in register $R$ we write $|\rho\rangle_R$.

2.2 Definition of Security 

We follow the framework for defining security which was introduced in [FS09] and also used in [DFL+09]. Our cryptographic two-party protocols run between player Alice, denoted by A, and player Bob (B). Dishonest parties are indicated by A* and B*, respectively. The security against a dishonest player is based on the real/ideal-world paradigm that assumes two different worlds: The real world that models the actual protocol $\Pi$ and the ideal world based on the ideal functionality $\mathcal{F}$ that describes the intended behavior of the protocol. If both executions are indistinguishable, security of the protocol in real life follows. In other words, a dishonest real-world player P* that attacks the protocol cannot achieve (significantly) more than an ideal-world adversary $\hat{P}^*$ attacking the corresponding ideal functionality.

More formally, the joint input state consists of classical inputs of honest parties and possibly quantum input of dishonest players. A protocol $\Pi$ consists of an infinite family of interactive (quantum) circuits for parties A and B. A classical (non-reactive) ideal functionality is given by a conditional probability distribution $P_{\mathcal{F}(in_A, in_B)|in_A in_B}$, inducing a pair of random variables $(out_A, out_B) = \mathcal{F}(in_A, in_B)$ for every joint distribution of $in_A$ and $in_B$, where $in_P$ and $out_P$ denote party P's input and output, respectively. For the definition of (quantum-) computational security against a dishonest Bob, a polynomial-size (quantum) input sampler is considered, which produces the input state of the parties.

Definition 2.1 (Correctness). A protocol $\Pi$ correctly implements an ideal classical functionality $\mathcal{F}$, if for every distribution of the input values of honest Alice and Bob, the resulting common outputs of $\Pi$ and $\mathcal{F}$ are statistically indistinguishable.

Definition 2.2 (Unconditional security against dishonest Alice). A protocol $\Pi$ implements an ideal classical functionality $\mathcal{F}$ unconditionally securely against dishonest Alice, if for any real-world adversary A*, there exists an ideal-world adversary $\hat{A}^*$, such that for any input state it holds that the output state, generated by A* through interaction with honest B in the real world, is statistically indistinguishable from the output state, generated by $\hat{A}^*$ through interaction with $\mathcal{F}$ and A* in the ideal world.

Definition 2.3 ((Quantum-) Computational security against dishonest Bob). A protocol $\Pi$ implements an ideal classical functionality $\mathcal{F}$ (quantum-) computationally securely against dishonest Bob, if for any (quantum-) computationally bounded real-world adversary B*, there exists a (quantum-) computationally bounded ideal-world adversary $\hat{B}^*$, such that for any efficient input sampler, it holds that the output state, generated by B* through interaction with honest A in the real world, is (quantum-) computationally indistinguishable from the output state, generated by $\hat{B}^*$ through interaction with $\mathcal{F}$ and B* in the ideal world.

For more details and a definition of indistinguishability of quantum states, see [FS09]. There, it has also been shown that protocols satisfying the above definitions compose sequentially in a classical environment. Furthermore, note that in Definition 2.2, we do not necessarily require the ideal-world adversary $\hat{A}^*$ to be efficient. We show in Section 5 how to extend our coin-flipping construction such that we can achieve an efficient simulator.

The coin-flipping scheme in Section 5 as well as the example applications in Sections 4.1 and 4.2 work in the common-reference-string (CRS) model. In this model, all participants in the real-world protocol have access to a classical public CRS, which is chosen before any interaction starts, according to a distribution only depending on the security parameter. However, the participants in the ideal world interacting with the ideal functionality do not make use of the CRS. Hence, an ideal-world simulator $\hat{P}^*$ that operates by simulating a real-world adversary P* is free to choose a string in any way he wishes.

3 Quantum-Secure Coin-Flipping 
3.1 The Coin-Flip Protocol 

Let $n$ indicate the security parameter of the commitment scheme which underlies the protocol. We use an unconditionally binding and quantum-computationally hiding commitment scheme that takes a bit and some randomness $r$ of length $l$ as input, i.e. $com : \{0,1\} \times \{0,1\}^l \to \{0,1\}^{l+1}$. The unconditionally binding property is fulfilled, if it is impossible for any forger to open one commitment to both 0 and 1, i.e. to compute $r, r'$ such that $com(0,r) = com(1,r')$. Quantum-computational hiding is ensured, if no quantum distinguisher can distinguish between $com(0,r)$ and $com(1,r')$ for random $r, r'$ with non-negligible advantage. As mentioned earlier, for a specific instantiation we can use, for instance, Naor's commitment based on a pseudorandom generator [Nao91]. This scheme does not require any initially shared secret information and is secure against a quantum distinguisher.²

We let Alice and Bob run the Coin-Flip Protocol (see Fig. 1), which interactively generates a random and fair coin in one execution and does not require any set-up assumptions. Correctness is obvious by inspection of the protocol: If both players are honest, they independently choose random bits. These bits are then combined via exclusive disjunction, resulting in a uniformly random coin.



Coin-Flip Protocol

1. A chooses $a \in_R \{0,1\}$ and computes $com(a,r)$. She sends $com(a,r)$ to B.

2. B chooses $b \in_R \{0,1\}$ and sends $b$ to A.

3. A sends $open(a,r)$ and B checks if the opening is valid.

4. Both compute $coin = a \oplus b$.

Fig. 1. The Coin-Flip Protocol.



The corresponding ideal coin-flip functionality $\mathcal{F}_{COIN}$ is described in Figure 2. Note that dishonest A* may refuse to open $com(a,r)$ in the real world after learning B's input. For this case, $\mathcal{F}_{COIN}$ allows her a second input refuse, leading to output fail and modeling the abort of the protocol.

3.2 Security 

Theorem 3.1. The Coin-Flip Protocol is unconditionally secure against any unbounded dishonest Alice according to Definition 2.2, provided that the underlying commitment scheme is unconditionally binding.

² We describe the commitment scheme in this simple notation. However, if it is based on a specific scheme, e.g. [Nao91], the precise notation has to be slightly adapted.
Ideal Functionality $\mathcal{F}_{COIN}$:

Upon receiving requests start from Alice and Bob, $\mathcal{F}_{COIN}$ outputs a uniformly random coin to Alice. It then waits to receive Alice's second input ok or refuse and outputs coin or fail to Bob, respectively.

Fig. 2. The Ideal Coin-Flip Functionality.

Proof. We construct an ideal-world adversary $\hat{A}^*$, such that the real output of the protocol is statistically indistinguishable from the ideal output produced by $\hat{A}^*$, $\mathcal{F}_{COIN}$ and A*.

Ideal-World Simulation $\hat{A}^*$:

1. Upon receiving $com(a,r)$ from A*, $\hat{A}^*$ sends start and then ok to $\mathcal{F}_{COIN}$ as first and second input, respectively, and receives a uniformly random coin.

2. $\hat{A}^*$ computes $a$ and $r$ from $com(a,r)$.

3. $\hat{A}^*$ computes $b = coin \oplus a$ and sends $b$ to A*.

4. $\hat{A}^*$ waits to receive A*'s last message and outputs whatever A* outputs.

Fig. 3. The Ideal-World Simulation $\hat{A}^*$.

First note that $a$, $r$ and $com(a,r)$ are chosen and computed as in the real protocol. From the statistically binding property of the commitment scheme, it follows that A*'s choice bit $a$ is uniquely determined from $com(a,r)$, since for any $com$, there exists at most one pair $(a,r)$ such that $com = com(a,r)$ (except with probability negligible in $n$). Hence in the real world, A* is unconditionally bound to her bit before she learns B's choice bit, which means $a$ is independent of $b$. Therefore in Step 2, the simulator can correctly (but not necessarily efficiently) compute $a$ (and $r$). Note that, in the case of unconditional security, we do not have to require the simulation to be efficient. We show in Section 5 how to extend the commitment in order to extract A*'s inputs efficiently. Finally, due to the properties of XOR, A* cannot tell the difference between the random $b$ computed (from the ideal, random coin) in the simulation in Step 3 and the randomly chosen $b$ of the real world. It follows that the simulated output is statistically indistinguishable from the output in the real protocol. □

To prove security against any dishonest quantum-computationally bounded B*, we show that there exists an ideal-world simulation $\hat{B}^*$ with output quantum-computationally indistinguishable from the output of the protocol in the real world. In a classical simulation, where we can simply use rewinding, a polynomial-time simulator works as follows. It inquires $coin$ from $\mathcal{F}_{COIN}$, chooses random $a$ and $r$, and computes $b' = coin \oplus a$ as well as $com(a,r)$. It then sends $com(a,r)$ to B* and receives B*'s choice bit $b$. If $b = b'$, the simulation was successful. Otherwise, the simulator rewinds B* and repeats the simulation. Note that our security proof should hold also against any quantum adversary. The polynomial-time quantum simulator proceeds similarly to its classical analogue but requires quantum registers as work space and relies on the quantum rewinding lemma of Watrous [Wat09] (see Lemma 3.3).
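The protocol of Fig. 1 together with the two classical simulation strategies just described (extraction for a dishonest Alice as in Fig. 3, rewinding for a classical dishonest Bob), as an added Python example that is not part of the paper. It instantiates com(a, r) with Naor's scheme [Nao91], so Bob first sends a random string rho (the adaptation footnote 2 refers to); the truncated-SHA-256 stand-in for the PRG, the toy parameter sizes and the dishonest Bob that answers with the parity of the commitment are all constructed here.

```python
"""
Toy instantiation of the Coin-Flip Protocol (Fig. 1) with Naor's commitment
[Nao91], plus the two classical simulators described in the text: extraction
for dishonest Alice (Fig. 3) and rewinding for a classical dishonest Bob.
The PRG stand-in, parameter sizes and the dishonest Bob are constructed here
for illustration; none of this code is from the paper.
"""
import hashlib
import random

N = 10        # toy security parameter: PRG seeds have N bits, so 2**N of them
L = 3 * N     # Naor's receiver string rho and every commitment are 3N bits

def prg(seed: int) -> int:
    """Toy PRG {0,1}^N -> {0,1}^{3N}: truncated SHA-256 (stand-in, not a proven PRG)."""
    digest = hashlib.sha256(seed.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - L)

def commit(rho: int, a: int, seed: int) -> int:
    """Naor commitment to bit a: G(seed) xor (a * rho).  Bob's string rho is the
    adaptation of the com(a, r) notation that footnote 2 refers to."""
    return prg(seed) ^ (rho if a else 0)

def verify_open(rho: int, com: int, a: int, seed: int) -> bool:
    """Bob's check of open(a, r) in Step 3."""
    return a in (0, 1) and commit(rho, a, seed) == com

def openings(rho: int, com: int) -> set:
    """Every (a, seed) that opens com.  Binding is statistical: opening to both bits
    needs G(s) xor G(s') == rho, probability at most 2**(2N)/2**(3N) = 2**-N."""
    return {(a, s) for a in (0, 1) for s in range(2 ** N) if commit(rho, a, s) == com}

class FCoin:
    """Ideal functionality F_COIN of Fig. 2: coin to Alice first, then coin or fail to Bob."""
    def __init__(self, rng):
        self.coin = rng.randrange(2)
    def start(self) -> int:
        return self.coin
    def second_input(self, msg: str):
        return self.coin if msg == "ok" else "fail"

def real_protocol(rng, alice_refuses=False):
    """Honest Alice and Bob running Fig. 1; returns Bob's output."""
    rho = rng.getrandbits(L)                                 # Bob's Naor string
    a, seed = rng.randrange(2), rng.randrange(2 ** N)
    com = commit(rho, a, seed)                               # Step 1
    b = rng.randrange(2)                                     # Step 2
    if alice_refuses or not verify_open(rho, com, a, seed):  # Step 3
        return "fail"
    return a ^ b                                             # Step 4

class HonestAlice:
    """Black-box A* that happens to be honest (Steps 1 and 3 of Fig. 1)."""
    def __init__(self, rng):
        self.rng = rng
    def send_commit(self, rho):
        self.a, self.s = self.rng.randrange(2), self.rng.randrange(2 ** N)
        return commit(rho, self.a, self.s)
    def send_open(self, _b):
        return self.a, self.s

def simulate_dishonest_alice(rng, alice_commit, alice_open):
    """Ideal-world simulator of Fig. 3 around a black-box A*.  Returns the ideal coin,
    the real-looking coin a xor b, ideal Bob's output and the number of openings found."""
    f, rho = FCoin(rng), rng.getrandbits(L)
    com = alice_commit(rho)                  # Step 1: A*'s commitment arrives
    coin = f.start()
    found = openings(rho, com)               # Step 2: extract a (brute force, inefficient)
    a_star = next(iter(found))[0] if found else 0
    b = coin ^ a_star                        # Step 3: b = coin xor a
    a, seed = alice_open(b)                  # Step 4: A*'s last message
    valid = verify_open(rho, com, a, seed)
    ideal_out = f.second_input("ok" if valid else "refuse")  # her abort maps to refuse
    return coin, (a ^ b if valid else "fail"), ideal_out, len(found)

def bob_parity(rho, com, tape):
    """Constructed deterministic B*: answers with the parity of the commitment."""
    return (bin(com).count("1") ^ tape) & 1

def simulate_dishonest_bob(rng, bob, coin):
    """Classical rewinding simulator: guess b' = coin xor a, run B* on a fresh
    commitment, keep the run iff B* answered b'.  B*'s random tape is fixed across
    rewinds; under hiding each attempt succeeds with probability about 1/2."""
    rho, tape = rng.getrandbits(L), rng.randrange(2)
    trials = 0
    while True:
        trials += 1
        a, seed = rng.randrange(2), rng.randrange(2 ** N)
        com = commit(rho, a, seed)
        if bob(rho, com, tape) == coin ^ a:  # guess matched: consistent transcript
            return (com, coin ^ a, (a, seed)), trials
        # otherwise rewind B* to before Step 1 and try a new commitment

def demo(seed: int = 2024) -> dict:
    """Runs every piece with a seeded RNG; results are reproducible."""
    rng = random.Random(seed)
    alice = HonestAlice(random.Random(seed + 1))
    alice_sim = simulate_dishonest_alice(rng, alice.send_commit, alice.send_open)
    target = rng.randrange(2)
    (_, b, (a, _)), trials = simulate_dishonest_bob(rng, bob_parity, target)
    runs = [simulate_dishonest_bob(rng, bob_parity, rng.randrange(2))[1] for _ in range(400)]
    return {"real": real_protocol(rng), "refused": real_protocol(rng, alice_refuses=True),
            "alice_sim": alice_sim, "bob_sim": (target, a ^ b, trials),
            "mean_rewinds": sum(runs) / len(runs)}
```

The mean number of rewinds stays around 2 because the parity of a hiding commitment is unpredictable to the simulator, while the extraction in `openings` is exactly the inefficient Step 2 that Section 5 is said to make efficient.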

In the paper, Watrous proves how to construct a quantum zero-knowledge proof system for graph isomorphism using his (ideal) quantum rewinding lemma. The protocol proceeds as a $\Sigma$-protocol, i.e. a protocol in three-move form, where the verifier flips a single coin in the second step and sends this challenge to the prover. Since these are the essential aspects also in our Coin-Flip Protocol, we can apply Watrous' quantum rewinding technique (with slight modifications) as a black box to our protocol. We also follow his notation and line of argument here. For a more detailed description and proofs, we refer to [Wat09].
Theorem 3.2. The Coin-Flip Protocol is quantum-computationally secure against any polynomial-time bounded, dishonest Bob according to Definition 2.3, provided that the underlying commitment scheme is quantum-computationally hiding and the success probability of quantum rewinding achieves a non-negligible lower bound $p_0$.

Proof. Let W denote B*'s auxiliary input register, containing an $n$-qubit state $|\psi\rangle$. Furthermore, let V and B denote B*'s work space, where V is an arbitrary polynomial-size register and B is a single-qubit register. A's classical messages are considered in the following as being stored in quantum registers $A_1$ and $A_2$. In addition, the quantum simulator uses registers R, containing all possible choices of a classical simulator, and G, representing its guess $b'$ on B*'s message $b$ in the second step. Finally, let X denote a working register of size $k$, which is initialized to the state $|0^k\rangle$ and corresponds to the collection of all registers as described above except W.

The quantum rewinding procedure is implemented by a general quantum circuit $R_{coin}$ with input (W, X, B*, coin). As a first step, it applies a unitary $(n,k)$-quantum circuit $Q$ to (W, X) to simulate the conversation, obtaining registers (G, Y). Then, a test takes place to observe whether the simulation was successful. In that case, $R_{coin}$ outputs the resulting quantum register. Otherwise, it quantumly rewinds by applying the reverse circuit on (G, Y) to retrieve (W, X) and then a phase-flip transformation on X before another iteration of $Q$ is applied. Note that $R_{coin}$ is essentially the same circuit as $R$ described in [Wat09], but in our application it depends on the value of a given coin, i.e., we apply $R_0$ or $R_1$ for $coin = 0$ or $coin = 1$, respectively. In more detail, $Q$ transforms (W, X) to (G, Y) by the following unitary operations:

(1) It first constructs the superposition

$$\frac{1}{\sqrt{2^{l+1}}} \sum_{a,r} |a,r\rangle_R\, |com(a,r)\rangle_{A_1}\, |b' = coin \oplus a\rangle_G\, |open(a,r)\rangle_{A_2}\, |0\rangle_B\, |0^{k'}\rangle_V\, |\psi\rangle_W$$

where $k' < k$. Note that the state of registers $(A_1, G, A_2)$ corresponds to a uniform distribution of possible transcripts of the interaction between the players.

(2) For each possible $com(a,r)$, it then simulates B*'s possible actions by applying a unitary operator to $(W, V, B, A_1)$ with $A_1$ as control:

$$\frac{1}{\sqrt{2^{l+1}}} \sum_{a,r} |a,r\rangle_R\, |com(a,r)\rangle_{A_1}\, |b'\rangle_G\, |open(a,r)\rangle_{A_2}\, |b\rangle_B\, |\phi\rangle_V\, |\psi\rangle_W$$

where $\phi$ and $\psi$ describe modified quantum states.

(3) Finally, a CNOT-operation is applied to the pair (B, G) with B as control to check whether the simulator's guess of B*'s choice was correct. The result of the CNOT-operation is stored in register G.

If we denote with Y the register that contains the residual $(n+k-1)$-qubit state, the transformation from (W, X) to (G, Y) by applying $Q$ can be written as a superposition of a successful and a failing branch of the simulation, where $0 < p < 1$ is the success probability and $|\phi_{good}(\psi)\rangle$ denotes the state we want the system to be in for a successful simulation. $R_{coin}$ then measures the qubit in register G with respect to the standard basis, which indicates success or failure of the simulation. A successful execution (where $b = b'$) results in outcome 0 with probability $p$. In that case, $R_{coin}$ outputs Y. A measurement outcome 1 indicates $b \neq b'$, in which case $R_{coin}$ quantumly rewinds the system, applies a phase-flip (on register X) and repeats the simulation.

Watrous' ideal quantum rewinding lemma (without perturbations) then states the following: Under the condition that the probability $p$ of a successful simulation is non-negligible and independent of any auxiliary input, the output $\rho(\psi)$ of $R$ has square-fidelity close to 1 with the state $|\phi_{good}(\psi)\rangle$ of a successful simulation, i.e.,

$$\langle \phi_{good}(\psi) | \rho(\psi) | \phi_{good}(\psi) \rangle \geq 1 - \varepsilon$$

with error bound $0 < \varepsilon < \frac{1}{2}$. Note that for the special case where $p$ equals 1/2 and is independent of $|\psi\rangle$, the simulation terminates after at most one rewinding.

However, we cannot apply the exact version of Watrous' rewinding lemma in our simulation, since the commitment scheme in the protocol is only (quantum-) computationally hiding. Instead, we must allow for small perturbations in the quantum rewinding procedure as follows. Let $adv$ denote B*'s advantage over a random guess on the committed value due to his computing power, i.e. $adv = |p - 1/2|$. From the hiding property, it follows that $adv$ is negligible in the security parameter $n$. Thus, we can argue that the success probability $p$ is close to independent of the auxiliary input and Watrous' quantum rewinding lemma with small perturbations, as stated below (Lemma 3.3), applies with $q = \frac{1}{2}$ and $\varepsilon = adv$.
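The rewinding step of $R_{coin}$ in the exact case just noted (p = 1/2 independent of |ψ⟩, so one rewinding suffices) and in the perturbed case where B*'s answer depends slightly on the committed bit, as an added pure-Python statevector example that is not from the paper. The four one-qubit registers, B*'s toy strategy (entangle B with W, then rotate by theta) and the leak angle delta that plays the role of adv are constructed here for illustration.

```python
"""
Statevector toy of Watrous' rewinding step R_coin from Section 3.2 on four
qubits: W = B*'s auxiliary input |psi>, A = the simulator's bit a (standing in
for R/A_1), G = the guess b' = coin xor a, B = B*'s answer.  Added example, not
from the paper: B*'s strategy (entangle B with W, rotate by theta) and the leak
angle delta, which lets his answer depend on a, are constructed here.
"""
import math

POS = {"W": 3, "A": 2, "G": 1, "B": 0}   # bit position of each register in the index
SQ2 = 1 / math.sqrt(2)
H = [[SQ2, SQ2], [SQ2, -SQ2]]
X = [[0.0, 1.0], [1.0, 0.0]]

def bit(i, q):
    return (i >> POS[q]) & 1

def ry(theta):
    """Real rotation Ry(theta): |0> -> cos(theta/2)|0> + sin(theta/2)|1>."""
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    return [[c, -s], [s, c]]

def apply_1q(state, q, m, control=None):
    """Apply the 2x2 real matrix m to qubit q, optionally only where control is 1."""
    out = state[:]
    for i in range(16):
        if bit(i, q) == 0 and (control is None or bit(i, control) == 1):
            j = i | (1 << POS[q])
            out[i] = m[0][0] * state[i] + m[0][1] * state[j]
            out[j] = m[1][0] * state[i] + m[1][1] * state[j]
    return out

def cnot(state, c, t):
    out = state[:]
    for i in range(16):
        if bit(i, c) == 1 and bit(i, t) == 0:
            j = i | (1 << POS[t])
            out[i], out[j] = state[j], state[i]
    return out

def circuit_q(state, coin, theta, delta, inverse=False):
    """Q of Section 3.2: (1) superpose a and set G = coin xor a, (2) B*'s unitary on
    (W, B), controlled by A with strength delta (delta = 0 models a perfectly hiding
    commitment), (3) CNOT B -> G, so G = 0 iff b == b'.  inverse=True gives Q^dagger."""
    sign = -1 if inverse else 1
    steps = [
        lambda s: apply_1q(s, "A", H),
        lambda s: apply_1q(s, "G", X) if coin else s,
        lambda s: cnot(s, "A", "G"),
        lambda s: cnot(s, "W", "B"),
        lambda s: apply_1q(s, "B", ry(sign * theta)),
        lambda s: apply_1q(s, "B", ry(sign * delta), control="A"),
        lambda s: cnot(s, "B", "G"),
    ]
    for step in (reversed(steps) if inverse else steps):
        state = step(state)
    return state

def prob_success(state):
    """Probability that measuring G yields 0, i.e. the simulated b equals the guess b'."""
    return sum(amp * amp for i, amp in enumerate(state) if bit(i, "G") == 0)

def rewinding_demo(psi=(1.0, 0.0), coin=0, theta=0.7, delta=0.0):
    """Run Q and measure G; on outcome 1 rewind once (Q^dagger, phase flip on X, Q).
    Returns (p, success probability after one rewinding)."""
    state = [0.0] * 16
    state[0], state[1 << POS["W"]] = psi          # |psi>_W |0>_A |0>_G |0>_B
    state = circuit_q(state, coin, theta, delta)
    p = prob_success(state)
    # outcome 1 (b != b'): project onto G = 1 and renormalise
    norm = math.sqrt(1 - p)
    state = [amp / norm if bit(i, "G") else 0.0 for i, amp in enumerate(state)]
    state = circuit_q(state, coin, theta, delta, inverse=True)
    # phase flip on X = (A, G, B): negate every component except |000>_X
    state = [amp if (i & 0b0111) == 0 else -amp for i, amp in enumerate(state)]
    state = circuit_q(state, coin, theta, delta)
    return p, prob_success(state)
```

With delta = 0 the success probability is exactly 1/2 for every |ψ⟩ and one rewinding succeeds with certainty; with a leak delta > 0 the probability after one rewinding drops to 4p(1−p), which is the kind of deviation the perturbed lemma has to absorb.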

Lemma 3.3 (Quantum Rewinding Lemma with small perturbations [Wat09]). Let $Q$ be the unitary $(n,k)$-quantum circuit as given in [Wat09]. Furthermore, let $p_0, q \in (0,1)$ and $\varepsilon \in (0, \frac{1}{2})$ be real numbers such that

1. $|p - q| < \varepsilon$,

2. $p_0(1 - p_0) \leq q(1 - q)$, and

3. $p_0 \leq p$

for all $n$-qubit states $|\psi\rangle$. Then there exists a general quantum circuit $R$ of size

$$O\!\left( \frac{\log(1/\varepsilon)\, size(Q)}{p_0 (1 - p_0)} \right)$$

such that, for every $n$-qubit state $|\psi\rangle$, the output $\rho(\psi)$ of $R$ satisfies

$$\langle \phi_{good}(\psi) | \rho(\psi) | \phi_{good}(\psi) \rangle \geq 1 - \varepsilon'$$

where $\varepsilon' = 16\varepsilon \frac{\log^2(1/\varepsilon)}{p_0^2 (1 - p_0)^2}$.

Note that all operations in $Q$ can be performed by polynomial-size circuits, and thus, the simulator has polynomial size (in the worst case). Furthermore, $p_0$ denotes the lower bound on the success probability $p$, for which the procedure guarantees correctness. For negligible $\varepsilon$ but non-negligible $p_0$, it follows that $\varepsilon'$ is negligible, and hence, the "closeness" of output $\rho(\psi)$ with the good state $|\phi_{good}(\psi)\rangle$ is slightly reduced but quantum rewinding remains possible. For a more detailed description of the lemma and the corresponding proofs, we refer to [Wat09].

Finally, to prove security against quantum B*, we construct an ideal-world quantum simulator $\hat{B}^*$ (see Fig. 4), interacting with B* and the ideal functionality $\mathcal{F}_{COIN}$ and executing Watrous' quantum rewinding algorithm. We then compare the output states of the real process and the ideal process. In case of indistinguishable outputs, quantum-computational security against B* follows.
Ideal-World Simulation $\hat{B}^*$:

1. $\hat{B}^*$ gets B*'s auxiliary quantum input W and working registers X.

2. $\hat{B}^*$ sends start and then ok to $\mathcal{F}_{COIN}$. It receives a uniformly random coin.

3. Depending on the value of coin, $\hat{B}^*$ applies the corresponding circuit $R_{coin}$ with input W, X, B* and coin.

4. $\hat{B}^*$ receives output register Y with $|\phi_{good}(\psi)\rangle$ and "measures the conversation" to retrieve the corresponding $(com(a,r), b, open(a,r))$. It outputs whatever B* outputs.

Fig. 4. The Ideal-World Simulation $\hat{B}^*$.



First note that the superposition constructed as described above in circuit $Q$ as Step (1) corresponds to all possible random choices of values in the real protocol. Furthermore, the circuit models any possible strategy of quantum B* in Step (2), depending on control register $|com(a,r)\rangle_{A_1}$. The CNOT-operation on (B, G) in Step (3), followed by a standard measurement of G, indicates whether the guess $b'$ on B*'s choice $b$ was correct. If that was not the case (i.e. $b \neq b'$ and measurement result 1), the system gets quantumly rewound by applying the reverse transformations (3)-(1), followed by a phase-flip operation. The procedure is repeated until the measurement outcome is 0 and hence $b = b'$. Watrous' technique then guarantees that, assuming negligible $\varepsilon$ and non-negligible $p_0$, $\varepsilon'$ is negligible and thus the final output $\rho(\psi)$ of the simulation is close to the good state $|\phi_{good}(\psi)\rangle$. It follows that the output of the ideal simulation is indistinguishable from the output in the real world for any quantum-computationally bounded B*. □



4 Applications 

4.1 Interactive Quantum Zero-Knowledge

Zero-knowledge proofs are an important building block for larger cryptographic protocols. The notion of (interactive) zero-knowledge (ZK) was introduced by Goldwasser et al. [GMR85]. Informally, ZK proofs for any NP language L yield no other knowledge to the verifier than the validity of the assertion proved, i.e. $x \in L$. Thus, only this one bit of knowledge is communicated from prover to verifier and zero additional knowledge. For a survey about zero-knowledge, see for instance [Gol01,Gol02].

Blum et al. [BFM88] showed that the interaction between prover and verifier in any ZK proof can be replaced by sharing a short, random common reference string according to some distribution and available to all parties from the start of the protocol. Note that a CRS is a weaker requirement than interaction. Since all information is communicated in one direction only, from prover to verifier, we do not have to impose any restriction on the verifier.

As in the classical case, where ZK protocols exist if one-way functions exist, quantum zero-knowledge (QZK) is possible under the assumption that quantum one-way functions exist. In [Kob03], Kobayashi showed that a common reference string or shared entanglement is necessary for non-interactive quantum zero-knowledge. Interactive quantum zero-knowledge protocols in restricted settings were proposed by Watrous in the honest verifier setting [Wat02] and by Damgård et al. in the CRS model [DFS04], where the latter introduced the first $\Sigma$-protocols for QZK withstanding even active quantum attacks. In [Wat09], Watrous then proved that several interactive protocols are zero-knowledge against general quantum attacks.

Recently, Hallgren et al. [HKSZ08] showed how to transform a $\Sigma$-protocol with stage-by-stage honest verifier zero-knowledge into a new $\Sigma$-protocol that is zero-knowledge against all classical and quantum verifiers. They propose special bit commitment schemes to limit the number of rounds, and view each round as a stage in which an honest verifier simulator is assumed. Then, by using a technique of [DGW94], each stage can be converted to obtain zero-knowledge against any classical verifier. Finally, Watrous' quantum rewinding lemma is applied in each stage to prove zero-knowledge also against any quantum verifier.

Here, we propose a simpler transformation from non-interactive (quantum) zero-knowledge (NIZK) to interactive quantum zero-knowledge (IQZK) by combining the Coin-Flip Protocol with any NIZK Protocol. Our coin-flipping generates a truly random coin even in the case of a malicious quantum verifier. A sequence of such coins can then be used in any subsequent NIZK Protocol, which is also secure against quantum verifiers, since its communication goes in one direction only. Here, we define a (NIZK)-subprotocol as given in [BFM88]: Both parties A and B get common input $x$. A common reference string $\omega$ of size $k$ allows the prover A, who knows a witness $w$, to give a non-interactive zero-knowledge proof $\pi(\omega, x)$ to a (quantum-) computationally bounded verifier B. By definition, the (NIZK)-subprotocol is complete and sound and satisfies zero-knowledge.

The IQZK Protocol is shown in Figure 7. To prove that it is an interactive quantum zero-knowledge protocol, we first construct an intermediate IQZK$^{\mathcal{F}_{COIN}}$ Protocol (see Fig. 5) that runs with the ideal functionality $\mathcal{F}_{COIN}$. Then we prove that the IQZK$^{\mathcal{F}_{COIN}}$ Protocol satisfies completeness, soundness and zero-knowledge according to standard definitions. Finally, by replacing the calls to $\mathcal{F}_{COIN}$ with our Coin-Flip Protocol, we can complete the transformation to the final IQZK Protocol.



IQZK$^{\mathcal{F}_{COIN}}$ Protocol:

(COIN)

1. A and B invoke $\mathcal{F}_{COIN}$ $k$ times. If A blocks any output $coin_i$ for $i = 1, \ldots, k$ (by sending refuse as second input), B aborts the protocol.

(CRS)

2. A and B compute $\omega = coin_1 \ldots coin_k$.

(NIZK)

3. A sends $\pi(\omega, x)$ to B. B checks the proof and accepts or rejects accordingly.

Fig. 5. Intermediate Protocol for IQZK.

Completeness: If $x \in L$, the probability that (A, B) rejects $x$ is negligible in the length of $x$.

From the ideal functionality $\mathcal{F}_{COIN}$ it follows that each $coin_i$ in Step 1 is uniformly random for all $i = 1, \ldots, k$. Hence, $\omega$ in Step 2 is a uniformly random common reference string of size $k$. By definition of any (NIZK)-subprotocol, we have acceptance probability

$$\Pr[\omega \leftarrow \{0,1\}^k,\ \pi(\omega,x) \leftarrow A(\omega, x, w) : B(\omega, x, \pi(\omega,x)) = 1] \geq 1 - \varepsilon'',$$

where $\varepsilon''$ is negligible in the length of $x$. Thus, completeness for the IQZK$^{\mathcal{F}_{COIN}}$ Protocol follows.

Soundness: If $x \notin L$, then for any unbounded prover A*, the probability that (A*, B) accepts $x$ is negligible in the length of $x$.

Any dishonest A* might stop the IQZK$^{\mathcal{F}_{COIN}}$ Protocol at any point during execution. For example, she can block the output in Step 1 or she can refuse to send a proof $\pi$ in the (NIZK)-subprotocol. Furthermore, A* can use an invalid $\omega$ (or $x$) for $\pi$. In all of these cases, B will abort without even checking the proof. Therefore, A*'s best strategy is to "play the entire game", i.e. to execute the entire IQZK$^{\mathcal{F}_{COIN}}$ Protocol without making obvious cheats.

A* can only convince B in the (NIZK)-subprotocol of a $\pi$ for any given (i.e. normally generated) $\omega$ with negligible probability

$$\Pr[\omega \leftarrow \{0,1\}^k,\ \pi(\omega,x) \leftarrow A^*(\omega, x) : B(\omega, x, \pi(\omega,x)) = 1].$$

Therefore, the probability that A* can convince B in the entire IQZK$^{\mathcal{F}_{COIN}}$ Protocol in case of $x \notin L$ is also negligible (in the length of $x$) and its soundness follows.

Zero-Knowledge: An interactive proof system (A, B*) for language L is quantum zero-knowledge, 
if for any quantum verifier B*, there exists a simulator Sjq^kJ^coin ? such that Sjq2K^coiiM ^ (A, B*) 
on common input x E L and arbitrary additional (quantum) input to B*. 

We construct simulator Sj^^k^cqin > interacting with dishonest B* and simulator Snizk- Under 
the assumption on the zero-knowledge property of any NIZK Protocol, there exists a simulator 
Snizk that, on input x 6 L, generates a randomly looking lo together with a valid proof n for 
x (without knowing witness w). Sjq2K-^coiN is described in Figure 6. It receives a random string 
Lo from Skizk, which now replaces the string of coins produced by the calls to .7-coiN in the 
Protocol. The "merging" of coins into lu in Step 2 of the protocol (Fig. 5) is equiva- 
lent to the "splitting" of co into coins in Step 3 of the simulation (Fig. 6). Thus, the simulated 
proof 7r{oj,x) is indistinguishable from a real proof, which shows that the IQZK-^coin Protocol is 
zero-knowledge . 



$\mathcal{S}_{IQZK^{\mathcal{F}_{COIN}}}$:

1. $\mathcal{S}_{IQZK^{\mathcal{F}_{COIN}}}$ gets input $x$.

2. It invokes $\mathcal{S}_{NIZK}$ with $x$ and receives $\pi(\omega, x)$.

3. Let $\omega = coin_1 \dots coin_k$. $\mathcal{S}_{IQZK^{\mathcal{F}_{COIN}}}$ sends each $coin_i$ one by one to B*.

4. $\mathcal{S}_{IQZK^{\mathcal{F}_{COIN}}}$ sends $\pi(\omega, x)$ to B* and outputs whatever B* outputs.

Fig. 6. The Simulation of the Intermediate Protocol for IQZK.



IQZK Protocol:

(CFP) For all $i = 1, \dots, k$ repeat Steps 1.-4.

1. A chooses $a_i \in_R \{0,1\}$ and computes $com(a_i, r_i)$. She sends $com(a_i, r_i)$ to B.

2. B chooses $b_i \in_R \{0,1\}$ and sends $b_i$ to A.

3. A sends $open(a_i, r_i)$ and B checks if the opening is valid.

4. Both compute $coin_i = a_i \oplus b_i$.

(CRS)

5. A and B compute $\omega = coin_1 \dots coin_k$.

(NIZK)

6. A sends $\pi(\omega, x)$ to B. B checks the proof and accepts or rejects accordingly.

Fig. 7. Interactive Quantum Zero-Knowledge.



It would be natural to think that the IQZK Protocol could be proved secure simply by
showing that the IQZK$^{\mathcal{F}_{COIN}}$ Protocol implements some appropriate functionality and then use
the composition theorem from [FS09]. Unfortunately, a zero-knowledge protocol - which is not
necessarily a proof of knowledge - cannot be modeled by a functionality in a natural way. We
therefore instead prove explicitly that the IQZK Protocol has the standard properties of a zero-
knowledge proof as follows.

Completeness: From the analysis of the Coin-Flip Protocol and its indistinguishability
from the ideal functionality $\mathcal{F}_{COIN}$, it follows that if both players honestly choose random bits,
each $coin_i$ for all $i = 1, \dots, k$ in the (CFP)-subprotocol is generated uniformly at random. Thus,
$\omega$ is a random common reference string of size $k$ and the acceptance probability of the (NIZK)-
subprotocol as given above holds. Completeness for the IQZK Protocol follows.

Soundness: Again, we only consider the case where A* executes the entire protocol without
making obvious cheats, since otherwise, B immediately aborts. Assume that A* could cheat in
the IQZK Protocol, i.e., B would accept an invalid proof with non-negligible probability. Then
we could combine A* with simulator $\hat{A}^*$ of the Coin-Flip Protocol (Fig. 3) to show that
the IQZK$^{\mathcal{F}_{COIN}}$ Protocol was not sound. This, however, is inconsistent with the previously given
soundness argument and thus proves by contradiction that the IQZK Protocol is sound.

Zero-Knowledge: A simulator $\mathcal{S}_{IQZK}$ can be composed of simulator $\mathcal{S}_{IQZK^{\mathcal{F}_{COIN}}}$ (Fig. 6) and
simulator $\hat{B}^*$ for the Coin-Flip Protocol (Fig. 4). $\mathcal{S}_{IQZK}$ gets classical input $x$ as well as
quantum input $W$ and $X$. It then receives a valid proof $\pi$ and a random string $\omega$ from $\mathcal{S}_{NIZK}$.
As in $\mathcal{S}_{IQZK^{\mathcal{F}_{COIN}}}$, $\omega$ is split into $coin_1 \dots coin_k$. For each $coin_i$, it will then invoke
$\hat{B}^*$ to simulate one coin-flip execution with $coin_i$ as result. In other words, whenever $\hat{B}^*$ asks
$\mathcal{F}_{COIN}$ to output a bit (Step 2, Fig. 4), it instead receives this $coin_i$. The transcript of the
simulation, i.e. $\pi(\omega, x)$ as well as $(com(a_i, r_i), b_i, open(a_i, r_i))$ $\forall i = 1, \dots, k$ and
$\omega = coin_1 \dots coin_k$, is indistinguishable from the transcript of the IQZK Protocol for any
quantum-computationally bounded B*, which concludes the zero-knowledge proof.
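As an added illustration (not the paper's code) of the (CFP) and (CRS) steps of Fig. 7, the following Python runs $k$ coin-flips with a hash-based commitment standing in for $com(a_i, r_i)$ (an assumption; the paper leaves the commitment scheme abstract), including B's abort on an invalid opening and the splitting of $\omega$ back into coins that the simulator of Fig. 6 performs:

```python
import hashlib
import secrets

# Added example, not from the paper: (CFP)/(CRS) steps of the IQZK Protocol (Fig. 7).
# com() is a hash-based stand-in for the abstract bit commitment com(a_i, r_i) (assumption).

def com(bit, r):
    """Commitment to one bit with randomness r; the opening is the pair (bit, r)."""
    return hashlib.sha256(bytes([bit]) + r).hexdigest()

def coin_flip(alice_bit, bob_bit, alice_opens=None):
    """One (CFP) round, Steps 1-4. Returns (transcript, coin); coin is None when B aborts.
    alice_opens lets a dishonest A try to open to a different bit after seeing b_i."""
    r = secrets.token_bytes(16)
    c = com(alice_bit, r)                        # Step 1: A sends com(a_i, r_i)
    b = bob_bit                                  # Step 2: B sends b_i
    a_open = alice_bit if alice_opens is None else alice_opens
    if com(a_open, r) != c:                      # Step 3: B checks open(a_i, r_i)
        return (c, b, (a_open, r)), None         # binding violated -> B aborts
    return (c, b, (a_open, r)), a_open ^ b       # Step 4: coin_i = a_i xor b_i

def generate_crs(k):
    """Steps 1-5 for i = 1..k with honest random choices: omega = coin_1 ... coin_k."""
    transcript, coins = [], []
    for _ in range(k):
        t, coin = coin_flip(secrets.randbelow(2), secrets.randbelow(2))
        if coin is None:
            raise RuntimeError("B aborts: invalid opening")
        transcript.append(t)
        coins.append(coin)
    return "".join(str(c) for c in coins), transcript

def split_crs(omega):
    """Simulator's Step 3 (Fig. 6): split omega back into coin_1 ... coin_k."""
    return [int(ch) for ch in omega]

if __name__ == "__main__":
    omega, transcript = generate_crs(8)
    print("omega =", omega, "coins =", split_crs(omega))
```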

4.2 Generating Commitment Keys for Improved Quantum Protocols

Recently, Damgård et al. [DFL+09] proposed a general compiler for improving the security of
a large class of quantum protocols. Alice starts such protocols by transmitting random BB84-
qubits to Bob who measures them in random bases. Then some classical messages are exchanged
to accomplish different cryptographic tasks. The original protocols are typically unconditionally
secure against cheating Alice, and secure against a so-called benignly dishonest Bob, i.e., Bob
is assumed to handle most of the received qubits as he is supposed to. Later on in the protocol,
he can deviate arbitrarily. The improved protocols are then secure against an arbitrary
computationally bounded (quantum) adversary. The compilation also preserves security in the
bounded-quantum-storage model (BQSM) that assumes the quantum storage of the adversary
to be of limited size. If the original protocol was BQSM-secure, the improved protocol achieves
hybrid security, i.e., it can only be broken by an adversary who has large quantum memory and
large computing power.

Briefly, the argument for computational security proceeds along the following lines. After the
initial qubit transmission from A to B, B commits to all his measurement bases and outcomes.
The (keyed) dual-mode commitment scheme that is used must have the special property that
the key can be generated by one of two possible key-generation algorithms: $\mathcal{G}_H$ or $\mathcal{G}_B$. Depending on
the key in use, the scheme provides both flavors of security. Namely, with key $pkH$ generated by $\mathcal{G}_H$,
respectively $pkB$ produced by $\mathcal{G}_B$, the commitment scheme is unconditionally hiding respectively
unconditionally binding. Furthermore, the scheme is secure against a quantum adversary and it
holds that $pkH \stackrel{q}{\approx} pkB$. The commitment construction is described in full detail in [DFL+09].

In the real-life protocol, B uses the unconditionally hiding key $pkH$ to maintain unconditional
security against any unbounded A*. To argue security against a computationally bounded B*,
an information-theoretic argument involving simulator B' (see [DFL+09]) is given to prove that
B* cannot cheat with the unconditionally binding key $pkB$. Security in real life then follows from
the quantum-computational indistinguishability of $pkH$ and $pkB$.

The CRS model is assumed to achieve high efficiency and practicability. Here, we discuss
integrating the generation of a common reference string from scratch based on our quantum-
secure coin-flipping. Thus, we can implement the entire process in the quantum world, starting
with the generation of a CRS without any initially shared information and using it during
compilation as commitment key.¹

As mentioned in [DFL+09], a dual-mode commitment scheme can be constructed from the
lattice-based cryptosystem of Regev [Reg05]. It is based on the learning with errors problem, which
can be reduced from worst-case (quantum) hardness of the (general) shortest vector problem.
Hence, breaking Regev's cryptosystem implies an efficient algorithm for approximating the lattice
problem, which is assumed to be hard even quantumly. Briefly, the cryptosystem uses dimension
$k$ as security parameter and is parametrized by two integers $m$ and $p$, where $p$ is a prime, and
a probability distribution on $\mathbb{Z}_p$. A regular public key for Regev's scheme is indistinguishable
from a case where a public key is chosen independently from the secret key, and in this case, the
ciphertext carries essentially no information about the message. Thus, the public key of a regular
key pair can be used as the unconditionally binding key $pkB'$ in the commitment scheme for the
ideal-world simulation. Then for the real protocol, an unconditionally hiding commitment key
$pkH'$ can simply be constructed by uniformly choosing numbers in $\mathbb{Z}_p^k \times \mathbb{Z}_p$. Both public keys
will be of size $O(mk \log p)$, and the encryption process involves only modular additions, which
makes its use simple and efficient.

The idea is now the following. We add (at least) $k$ executions of our Coin-Flip Protocol
as a first step to the construction of [DFL+09] to generate a uniformly random sequence
$coin_1 \dots coin_k$. These $k$ random bits produce a $pkH'$ as sampled by $\mathcal{G}_H$, except with negligible
probability. Hence, in the real world, Bob can use $coin_1 \dots coin_k = pkH'$ as key for committing
to all his basis choices and measurement outcomes. Since an ideal-world adversary B' is free to
choose any key, it can generate $(pkB', sk')$, i.e. a regular public key together with a secret key
according to Regev's cryptosystem. For the security proof, write $pkB' = coin_1 \dots coin_k$. In the
simulation, B' first invokes $\hat{B}^*$ for each $coin_i$ to simulate one coin-flip execution with $coin_i$ as
result. As before, whenever $\hat{B}^*$ asks $\mathcal{F}_{COIN}$ to output a bit, it instead receives this $coin_i$. Then
B' has the possibility to decrypt dishonest B*'s commitments during simulation, which binds
B* unconditionally to his committed measurement bases and outcomes. Finally, as we proved in
the analysis of the Coin-Flip Protocol that $pkH'$ is a uniformly random string, Regev's proof
of semantic security shows that $pkH' \stackrel{q}{\approx} pkB'$, and (quantum-) computational security of the real
protocols in [DFL+09] follows.

5 On Efficient Simulation in the CRS Model

For our Coin-Flip Protocol in the plain model, we cannot claim universal composability. As
already mentioned, in case of unconditional security against dishonest A* according to Defini-
tion 2.2, we do not require the simulator to be efficient. In order to achieve efficient simulation,
$\hat{A}^*$ must be able to extract the choice bit efficiently out of A*'s commitment, such that A*'s
input is defined after this step. The standard approach to do this is to give the simulator some
trapdoor information related to the common reference string, that A* does not have in real life.
Therefore, we extend the commitment scheme to build in such a trapdoor and ensure efficient
extraction. To further guarantee UC-security, we circumvent the necessity of rewinding B* by
extending the construction also with respect to equivocability.

We will adapt an approach to our set-up, which is based on the idea of UC-commitments
[CF01] and already discussed in the full version of [DFL+09]. We require a $\Sigma$-protocol for a
(quantumly) hard relation $R = \{(x, w)\}$, i.e. an honest verifier perfect zero-knowledge interactive
proof of knowledge, where the prover shows that he knows a witness $w$ such that the problem
instance $x$ is in the language $L$ ($(x, w) \in R$). Conversations are of form $(a_x, c_x, z_x)$, where the
prover sends $a_x$, the verifier challenges him with bit $c_x$, and the prover replies with $z_x$. For

¹ Note that implementing the entire process comes at the cost of a non constant-round construction, added to
otherwise very efficient protocols under the CRS-assumption.
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practical candidates of R, see e.g. [DFS04]. Instead of the simple commitment scheme, we use 
the keyed dual-mode commitment scheme described in Section 4.2 but now based on a multi-bit 
version of Regev's scheme [PVW08]. Still we construct it such that depending of the key pkH or 

q 

pkB, the scheme provides both flavors of security and it holds that pkH « pkB. 

In real life, the CRS consists of commitment key pkB and an instance x' for which it holds that 
$ w' such that {x', w') G R, where we assume that x ^ x' . To commit to bit a, A runs the honest 
verifier simulator to get a conversation (ax', a, -zi;). She then sends ox' and two commitments 
co,ci to B, where Ca = com-p)sB{zE-,r) and ci_a = compkB(0^ ,r') with randomness r, r' and 
z' = \z\. Then, a, ze-, r is send to open the relevant one of cq or ci, and B checks that {ajj, a, zj]) 
is an accepting conversation. Assuming that the i7-protocol is honest verifier zero-knowledge 
and pkB leads to unconditionally binding commitments, the new commitment construction is 
again unconditionally binding. 

During simulation, A* chooses a pkB in the CRS such that it knows the matching decryption 
key sk. Then, it can extract A*'s choice bit a by decrypting both cq and c\ and checking which 
contains a valid z^: such that (ax, a, z^) is accepting. Note that not both cq and ci can contain 
a valid reply, since otherwise. A* would know a w' such that (x', w') & R. In order to simulate in 
case of B*, B* chooses the CRS as pkH and x (where x is such that there exists a w with {x, w) G 
R). Hence, the commitment is unconditionally hiding. Furthermore, it can be equivocated, since 
3 w with {x,w) G R and therefore, cq,ci can both be computed with valid replies, i.e. cg = 
comp^Yi{zQE,r) and ci = comp]^}i{zix;,r'). Quantum-computational security against B* follows 
from the indistinguishability of the keys pkB and pkH and the indistinguishablity of the instances 
x and x', and efficiency of both simulations is ensured due to extraction and equivocability. 
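The following Python is an added example, not code from the paper, that instantiates the $\Sigma$-protocol based commitment of this section with Schnorr's protocol in a toy group (assumption: $g = 2$ generating the order-11 subgroup of $\mathbb{Z}_{23}^*$) and a hash commitment in place of $com_{pkB}/com_{pkH}$; it shows the honest committer, B's check, equivocation given a witness, and why two valid replies for one $a_{x'}$ would reveal $w'$:

```python
import hashlib
import secrets

# Added example, not from the paper. Toy Schnorr parameters (assumption): g = 2 has
# order q = 11 in Z_23^*; an instance is y = g^w and the challenge is one bit c.
P, Q, G = 23, 11, 2

def sigma_verify(y, a_x, c, z):
    """Accepting conversation (a_x, c, z) for instance y: g^z == a_x * y^c (mod p)."""
    return pow(G, z, P) == (a_x * pow(y, c, P)) % P

def hv_simulate(y, c):
    """Honest-verifier simulator: an accepting conversation for challenge c without w."""
    z = secrets.randbelow(Q)
    a_x = pow(G, z, P) * pow(pow(y, c, P), -1, P) % P
    return a_x, z

def com(value, r):
    """Hash-based stand-in (assumption) for the paper's com_pkB / com_pkH."""
    return hashlib.sha256(f"{value}|{r.hex()}".encode()).hexdigest()

def commit(y, bit):
    """Real-life A: (a_x', c_bit = com(z), c_{1-bit} = com(0)); returns commitment, opening."""
    a_x, z = hv_simulate(y, bit)
    r, r_dummy = secrets.token_bytes(16), secrets.token_bytes(16)
    cs = [None, None]
    cs[bit], cs[1 - bit] = com(z, r), com(0, r_dummy)
    return (a_x, cs[0], cs[1]), (bit, z, r)

def open_check(y, commitment, opening):
    """B's check: the opened c_bit holds z and (a_x', bit, z) is accepting."""
    a_x, c0, c1 = commitment
    bit, z, r = opening
    return com(z, r) == (c0, c1)[bit] and sigma_verify(y, a_x, bit, z)

def equivocal_commit(y, w):
    """Simulator B-hat knowing w (y = g^w): both c0 and c1 hold valid replies, so
    the same commitment can later be opened as 0 or as 1."""
    rho = secrets.randbelow(Q)
    a_x, z0, z1 = pow(G, rho, P), rho, (rho + w) % Q
    r0, r1 = secrets.token_bytes(16), secrets.token_bytes(16)
    return (a_x, com(z0, r0), com(z1, r1)), (0, z0, r0), (1, z1, r1)

def extract_witness(z0, z1):
    """Why binding holds: valid replies to both challenges for one a_x' give w = z1 - z0 (mod q)."""
    return (z1 - z0) % Q
```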